> 
> On Thu, 23 Dec 1999, Justin Cormack wrote:
> 
> > I have recently upgraded some machines to RH 6.1 and have noticed an
> > alarming tendency for dialog boxes to appear saying please type the
> > root password.
> 
> > This really is not acceptable. Any old trojan horse program can do this
> > and get the password. It may be designed to make things easier for
> > new users, but they need to understand about su/logging in as root.
> 
> If there is a trojan in your path you've been compromised already.  You
> would need to be breached to get the trojan in your path in the first
> place.  Even if you didn't, blocking a single way for a malicious program
> to burn you doesn't stop the other n ways.  The value of n is very
> large...

That does not make it the right way to do things. 90%+ of users of a Linux
system will normally not know the root password anyway (or indeed the system
may use Kerberos or sudo so root passwords should be unnecessary). Asking
for a root password just because you have inserted a RH disk in the CD
drive is simply wrong, against any sensible way of teaching new users about
security.

And you wouldn't need security to be breached to have a Trojan: a naive user
could install any old program (Word for Linux say...) which just happened
to ask for the password and would not realise why the program should or should
not need the password.

Justin
